
Changing the Organizational Mindset to address Fraud and Cyber Security

By Christopher Uriarte, CIO, Aon, Cyber Solutions Group


It’s been nearly three decades since modern, sophisticated fraud detection systems were first widely deployed within banks, credit card processors, brokerages, online merchants and anyone else who sits within the increasingly complex financial systems ecosystem that keeps commerce moving around the world. And while these systems continue to become more sophisticated and more capable of handling new types of fraud, it is almost guaranteed that fraud techniques will continue to evolve quickly. As a result, the financial fraud detection space continues to evolve rapidly today.

In parallel, as more financial systems have become connected to the outside world via the Internet, a massive global cybersecurity threat has produced a multi-billion-dollar criminal industry that has put companies out of business, threatened individual lives and altered political landscapes throughout the world. According to Aon’s 2019 Aon Global Risk Management Survey, which surveys risk management professionals around the globe, cyber security risk is the #1 concern among North American companies.

The Great Divide: Fraud vs. Security

There’s traditionally been a distinction made between the world of fraud versus the world of cybersecurity. While both are considered criminal activities, cybersecurity criminals have traditionally been perceived as the stereotypical “hackers,” with the deep technical skills required to infiltrate and exploit critical systems. Fraudsters, on the other hand, have often been placed into a separate category, covering everything from simple credit card theft to complicated social engineering schemes to defraud individuals and large companies alike.


As a result of this thinking, organizations have often separated fraud teams from cybersecurity teams, which has frequently produced a significant divide between the tools, technologies, techniques and intelligence used to combat each discipline. This may have been fine ten years ago, but the line drawn between the two areas continues to thin. As organizations evolve their security and fraud strategies, they can benefit greatly by looking for synergies between all of their risk-related programs.

Shifting the Mindset to Holistic Risk

The most forward-thinking technical organizations today have started to shift their focus to implementing an across-the-board, holistic risk management strategy. In tactical terms, this means that they are starting to break down barriers between the cybersecurity and fraud functions and implementing cross-functional teams that look at risk across all network, system, application and product assets. For example, in many credit card issuing banks, the cybersecurity team often reports to a CIO or COO function, while credit card fraud detection or investigation teams often report to a business unit or CRO function. On a daily basis their operations, intelligence and processes rarely touch and, even in the most mature banks, collaboration between the two groups is often limited to the times when incidents occur.

In a more progressive model, organizations need to look at holistic risk and build teams that are effective and agile enough to address all the interlinked risks that span multiple functional areas. Threat intelligence and indicators of compromise should be shared between all parties and, ideally, the systems involved should be able to analyze shared threats automatically. For example, if a fraud team detects suspicious login activity from a specific IP address and device fingerprint, this information should be shared with the cybersecurity team so it can further analyze potential threats coming from these actors.
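To make the IP-plus-device-fingerprint hand-off above concrete, here is an added example (not code from the article or from Aon) in which indicators flagged by a fraud team are correlated against the security team's authentication log to scope how many accounts the same actor touched. The indicator format, the JSON-lines log format and all values are constructed for illustration.

```python
"""Correlate a fraud team's suspicious-login indicators (IP + device
fingerprint) with the security team's auth log. Added illustration; the
alert and log formats below are constructed, not any vendor's schema."""
from collections import defaultdict
import json

# Constructed: indicators the fraud team hands to security.
FRAUD_INDICATORS = [
    {"ip": "203.0.113.45", "device_fp": "fp-7a1c", "reason": "card testing"},
    {"ip": "198.51.100.9", "device_fp": "fp-02be", "reason": "account takeover"},
]

# Constructed: JSON-lines login events exported from the security team's SIEM.
AUTH_LOG = """\
{"ts":"2019-06-01T10:01:05Z","user":"alice","ip":"203.0.113.45","device_fp":"fp-7a1c","result":"fail"}
{"ts":"2019-06-01T10:01:09Z","user":"bob","ip":"203.0.113.45","device_fp":"fp-7a1c","result":"fail"}
{"ts":"2019-06-01T10:01:14Z","user":"carol","ip":"203.0.113.45","device_fp":"fp-7a1c","result":"success"}
{"ts":"2019-06-01T11:20:00Z","user":"dave","ip":"192.0.2.10","device_fp":"fp-9f00","result":"success"}
{"ts":"2019-06-01T12:45:31Z","user":"erin","ip":"198.51.100.9","device_fp":"fp-02be","result":"success"}
"""

def index_indicators(indicators):
    """Map each (ip, device_fp) pair to the fraud team's stated reason."""
    return {(i["ip"], i["device_fp"]): i["reason"] for i in indicators}

def correlate(log_text, indicators):
    """For every indicator seen in the log, collect the distinct users it
    touched and the count of failed/successful logins, so security can
    scope the exposure instead of looking at one fraud case in isolation."""
    lookup = index_indicators(indicators)
    hits = defaultdict(lambda: {"reason": "", "users": set(), "fail": 0, "success": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["ip"], ev["device_fp"])
        if key not in lookup:
            continue  # not an indicator the fraud team flagged
        h = hits[key]
        h["reason"] = lookup[key]
        h["users"].add(ev["user"])
        h[ev["result"]] += 1
    return {k: {**v, "users": sorted(v["users"])} for k, v in hits.items()}

def escalate(hits, min_users=2):
    """Indicators that touched several accounts: the fraud team saw one
    case, but the security team should investigate this as a wider event."""
    return [k for k, v in hits.items() if len(v["users"]) >= min_users]
```

The fraud team's single "card testing" case turns out to have hit three accounts once the security log is consulted, which is exactly the kind of signal neither team sees on its own.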

While it’s often difficult to break down the walls between traditional fraud and cyber organizations due to historical, cultural or budgetary reasons, organizations can start small by focusing on greater collaboration between teams, coupled with simple data sharing strategies. An hour-long knowledge sharing session between security engineers and fraud analysts can result in significant benefits. A single criminal case identified from this type of collaboration could easily result in a savings that far exceeds the time invested in such an exercise.

The Market Approach Today

The current shift in mindset that I’ve been describing has impacted my organization’s go-to-market strategy significantly over the past several years. Aon Cyber Solutions Group is a full-service cybersecurity firm that helps provide proactive and reactive cybersecurity solutions for many of the largest enterprises in the world. However, our product and service offering has evolved over the years to also focus on comprehensive risk management, rather than purely “technical” cyber remediation work. Clients are looking for service providers that can assess the full spectrum of risk that exists within an organization, while proposing practical solutions to address it. In addition, the stakeholders we typically interact with have evolved from primarily the CISO/CIO roles to a wide variety of stakeholders, including CFOs, CROs and business owners. This further reinforces the notion that fraud and security are no longer concerns that should live only within the CISO/CIO realm of an organization, but should engage all aspects of the C-Suite.

The reality of the world is that it’s nearly impossible to address every risk with technical solutions, no matter the size of the budget or the intelligence of your teams. As a result, we’ve evolved and enhanced our approaches to offer clients a combination of proactive advisory work, world-class cybersecurity technical services and risk transfer (insurance) solutions to address all risks across the spectrum. Whether you are using an outsourced service provider or building an in-house team, we advise that all organizations use a similar approach to ensure they are protected before an incident and are sufficiently prepared to handle the recovery and remediation necessary after a major fraud or security incident occurs.